cxf-issues mailing list archives

From "Freeman Fang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-4629) Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser
Date Tue, 13 Nov 2012 23:12:13 GMT

    [ https://issues.apache.org/jira/browse/CXF-4629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13496654#comment-13496654 ]

Freeman Fang commented on CXF-4629:
-----------------------------------

Thanks Dan for this clarification, I think you mean the URIMappingInterceptor.
And +1 for your suggestion.

Freeman


> Security issue with GET methods: WSS4JInInterceptor always allows HTTP Get requests from browser
> ------------------------------------------------------------------------------------------------
>
>                 Key: CXF-4629
>                 URL: https://issues.apache.org/jira/browse/CXF-4629
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.6.3, 2.7.0
>            Reporter: Oleh Faizulin
>            Assignee: Daniel Kulp
>            Priority: Critical
>
> Hello All,
> We are running CFX web services with the following configuration:
> web.xml
> {noformat}
>     <servlet>
>         <servlet-name>cxf</servlet-name>
>         <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
>         <load-on-startup>1</load-on-startup>
>     </servlet>
>     <servlet-mapping>
>         <servlet-name>cxf</servlet-name>
>         <url-pattern>/ls/*</url-pattern>
>     </servlet-mapping>
> {noformat}
> spring config:
> {noformat}
>     <!-- ######################################### -->
>     <beans:import resource="classpath:META-INF/cxf/cxf.xml" />
>     <beans:import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
>     <beans:import resource="classpath:META-INF/cxf/cxf-extension-soap.xml" />
>     <jaxws:endpoint id="lsWebEndpoint"
>         implementor="${our endpoint class}"
>         address="/api" >
>         <jaxws:inInterceptors>
>             <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
>             <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>                 <constructor-arg>
>                     <map>
>                         <entry key="action" value="UsernameToken"/>
>                         <entry key="passwordType" value="PasswordText"/>
>                         <entry key="passwordCallbackClass" value="${our password callback impl}"/>
>                     </map>
>                 </constructor-arg>
>             </bean>
>         </jaxws:inInterceptors>
>     </jaxws:endpoint>
> {noformat}
> And we discovered that all our web services are accessible via browser (HTTP Get) without any authentication.
> For instance:
> {noformat}
> http://localhost:8181/ls/api/test?a=10&b=20
> {noformat}
> {noformat}
> @WebService
> public class WSEndpoint {
>     @WebMethod
>     public int test(@WebParam(name = "a") int a,
>                     @WebParam(name = "b") int b) {
>         return a + b;
>     }
> }
> {noformat}
> returns
> {noformat}
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Body>
> <ns2:testResponse xmlns:ns2="${our namespace}">
> <return>30</return>
> </ns2:testResponse>
> </soap:Body>
> </soap:Envelope>
> {noformat}
> The reason is the following code in WSS4JInInterceptor:
> {noformat}
>     public final boolean isGET(SoapMessage message) {
>         String method = (String)message.get(SoapMessage.HTTP_REQUEST_METHOD);
>         return "GET".equals(method) && message.getContent(XMLStreamReader.class) == null;
>     }
>     
>     public void handleMessage(SoapMessage msg) throws Fault {
>         if (msg.containsKey(SECURITY_PROCESSED) || isGET(msg)) {
>             return;
>         }
>     ...
> {noformat}
> I was not able to find anything specific on Google about why GET methods are always allowed.
> However, it's somehow related to CXF-3170:
> Please see http://cxf.547215.n5.nabble.com/svn-commit-r1062014-in-cxf-branches-2-3-x-fixes-rt-ws-security-src-main-java-org-apache-cxf-ws-secura-tt3352201.html#none
> Also I found the following thread on StackOverflow without an answer:
> http://stackoverflow.com/questions/7933293/why-does-apache-cxf-ws-security-implementation-ignore-get-requests
> Please advise on this issue.
> Regards,
> Oleh.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
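The quoted report shows why the bypass works: WSS4JInInterceptor returns early for any GET that carries no XML body, and the query-string invocation is then dispatched as a normal operation call. As an added defensive example (not code from the CXF project or from this thread, and not the fix the project adopted), the interceptor below sits in the RECEIVE phase, which runs before the READ and PRE_PROTOCOL phases where WSS4JInInterceptor lives, and refuses every GET invocation except WSDL/XSD retrieval; the class name and the allow-list of query strings are my own choices.

```java
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/**
 * Rejects HTTP GET invocations of a SOAP endpoint before any security
 * interceptor runs, so the "GET with no XML body => skip security" shortcut
 * in WSS4JInInterceptor can never be reached through a query-string call.
 * Register it in <jaxws:inInterceptors> next to WSS4JInInterceptor.
 * Hypothetical class, written for this thread; not part of CXF.
 */
public class RejectHttpGetInterceptor extends AbstractPhaseInterceptor<Message> {

    public RejectHttpGetInterceptor() {
        super(Phase.RECEIVE); // earlier than READ and PRE_PROTOCOL
    }

    /** True only for the GET forms a SOAP endpoint legitimately serves: ?wsdl and ?xsd=... */
    static boolean isAllowedGet(String queryString) {
        if (queryString == null) {
            return false; // bare GET on the endpoint address is refused too
        }
        String q = queryString.toLowerCase();
        return q.equals("wsdl") || q.startsWith("wsdl=") || q.startsWith("xsd=");
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        String method = (String) message.get(Message.HTTP_REQUEST_METHOD);
        if (!"GET".equals(method)) {
            return; // POSTed SOAP requests continue on to WSS4JInInterceptor as usual
        }
        String query = (String) message.get(Message.QUERY_STRING);
        if (isAllowedGet(query)) {
            return; // let the WSDL/XSD retrieval interceptors handle it
        }
        // Anything else on GET (e.g. /api/test?a=10&b=20) never reaches the
        // operation; the client gets 405 instead of an unauthenticated result.
        Fault fault = new Fault(new SecurityException(
                "HTTP GET invocation is not permitted on this endpoint"));
        fault.setStatusCode(405);
        throw fault;
    }
}
```

Because phase ordering, not bean ordering, decides when it runs, it is effective regardless of its position in the inInterceptors list; the WSDL allow-list is the one place to adjust if the deployment also serves other GET queries.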
